
Commit

[Security] Disable unused background services: wpa_supplicant and cups.
Signed-off-by: Giacomo Marciani <mgiacomo@amazon.com>
gmarciani committed Feb 19, 2024
1 parent 51b2ec1 commit addc64f
Showing 4 changed files with 53 additions and 22 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
- Add the configuration parameter `DeploymentSettings/DefaultUserHome` to allow users to move the default user's home directory to `/local/home` instead of `/home` (default).
- SSH connections will be closed and rejected while the user's home directory is being moved during the bootstrapping process.
- Add possibility to choose between Open and Closed Source Nvidia Drivers when building an AMI, through the ```['cluster']['nvidia']['kernel_open']``` cookbook node attribute.
- Disable unused background services wpa_supplicant and cups to improve security.

**CHANGES**
- Upgrade Slurm to 23.11.3 (from 23.02.7).
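Review bot: the changelog entry does not say which platforms the change affects, while the recipe comments in this same commit scope cups to Ubuntu and Amazon Linux 2 and wpa_supplicant to Ubuntu 22; naming the platforms in the entry (for example "cups on Ubuntu and Amazon Linux 2, wpa_supplicant on Ubuntu 22") lets users tell whether it applies to their AMIs. It would also help to mention that the units are masked, not just disabled, since a masked unit cannot be started until it is unmasked and anyone relying on cups on a node will need to undo that.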
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,13 @@
service 'log4j-cve-2021-44228-hotpatch' do
action %i(disable stop mask)
end unless on_docker?

# Necessary on Ubuntu and Amazon Linux 2
service 'cups' do
action %i(disable stop mask)
end unless on_docker?

# Necessary on Ubuntu 22
service 'wpa_supplicant' do
action %i(disable stop mask)
end unless on_docker?
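Review bot: the comments ("Necessary on Ubuntu and Amazon Linux 2", "Necessary on Ubuntu 22") describe a platform scope that the resources do not have: both `service` blocks run on every platform, guarded only by `unless on_docker?`. Either add a platform condition that matches the comments, or reword the comments to say that the unit is only present on those platforms and that the unconditional disable/stop/mask is intentional elsewhere, so the next reader does not take the mismatch for a bug. As a style point, the two new blocks and the existing log4j one are identical apart from the unit name, so a `%w(log4j-cve-2021-44228-hotpatch cups wpa_supplicant).each do |unit| ... end` loop would keep them in step.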
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,18 @@
is_expected.to stop_service('log4j-cve-2021-44228-hotpatch')
is_expected.to mask_service('log4j-cve-2021-44228-hotpatch')
end

it 'disables cups' do
is_expected.to disable_service('cups')
is_expected.to stop_service('cups')
is_expected.to mask_service('cups')
end

it 'disables wpa_supplicant' do
is_expected.to disable_service('wpa_supplicant')
is_expected.to stop_service('wpa_supplicant')
is_expected.to mask_service('wpa_supplicant')
end
end
end
end
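Review bot: the new examples cover only the positive branch of the recipe's `unless on_docker?` guard; if the surrounding spec does not already stub `on_docker?` to true and assert that no cups or wpa_supplicant service resources are created, one such example would cover the guard for all three units at once. The three `it` blocks also repeat the same three expectations as the log4j example above, so an `%w(log4j-cve-2021-44228-hotpatch cups wpa_supplicant).each` loop would avoid the duplication.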
Original file line number Diff line number Diff line change
Expand Up @@ -10,38 +10,46 @@
# See the License for the specific language governing permissions and limitations under the License.

control 'tag:testami_tag:config_services_disabled_on_debian_family' do
title 'Test that DLAMI multi eni helper is disabled and masked on debian family'
services = %w(aws-ubuntu-eni-helper wpa_supplicant)

title "Test that #{services.join(',')} are disabled and masked on debian family"

only_if { os_properties.debian_family? && !os_properties.on_docker? }

describe service('aws-ubuntu-eni-helper') do
it { should_not be_enabled }
it { should_not be_running }
end
services.each do |service_name|
describe service(service_name) do
it { should_not be_enabled }
it { should_not be_running }
end

describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /aws-ubuntu-eni-helper.service\s*masked/ }
describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /#{service_name}.service\s*masked/ }
end
end
end

control 'tag:testami_tag:config_services_disabled_on_amazon_family' do
title 'Test that log4j-cve-2021-44228-hotpatch is disabled and masked on amazon family'
services = %w(log4j-cve-2021-44228-hotpatch cups)

only_if { os_properties.amazon_family? && !os_properties.on_docker? }
title "Test that #{services.join(',')} are disabled and masked on amazon family"

describe service('log4j-cve-2021-44228-hotpatch') do
it { should_not be_enabled }
it { should_not be_running }
end

describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /log4j-cve-2021-44228-hotpatch.service\s*masked/ }
end
only_if { os_properties.amazon_family? && !os_properties.on_docker? }

describe bash('systemctl show -p LoadState log4j-cve-2021-44228-hotpatch') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /LoadState=masked/ }
services.each do |service_name|
describe service(service_name) do
it { should_not be_enabled }
it { should_not be_running }
end

describe bash('systemctl list-unit-files --state=masked --no-legend') do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /#{service_name}.service\s*masked/ }
end

describe bash("systemctl show -p LoadState #{service_name}") do
its(:exit_status) { should eq 0 }
its(:stdout) { should match /LoadState=masked/ }
end
end
end
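Review bot: the debian-family control lists only aws-ubuntu-eni-helper and wpa_supplicant, but the recipe comment in this commit says cups is also needed on Ubuntu, so cups belongs in that `services` array too (and the `systemctl show -p LoadState` check added to the amazon control could be applied to the debian one for symmetry). Two smaller points in the regexes: `/#{service_name}.service\s*masked/` leaves the `.` unescaped and interpolates the name without `Regexp.escape`, so `/#{Regexp.escape(service_name)}\.service\s*masked/` is the safer form; and `services.join(',')` in both titles produces no space after the comma, so `join(', ')` reads better in test output.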

0 comments on commit addc64f
